Windows AD DS Definitions
Logical | Domain Tree
A hierarchical collection of domains that share a common root domain and a contiguous Domain Name System (DNS) namespace. Example: Savle.net, hr.Savle.net, this.Savle.net. These all trust each other, and the same kinds of objects are stored in each.
AD DS
(Active Directory Domain Services) The database that contains the users, groups, and computer accounts in a Windows Server domain.
Physical | Subnet
A site can have more than one subnet.
Tree trust
A trust which is created automatically in each domain. In a tree/root trust, every tree in the forest automatically trusts every other tree in the forest.
Group Objects
Add multiple user objects to a group and they all get the same access (for example, read, write and execute on a file). When creating a group, choose its group type and scope.
Managed Service Account
An account used by a service or application.
Logical | Forest
Collection of domains that share a common AD DS root, schema, and global catalog. It sits at the top of domain trees that are separate but trust each other; for example, this.net and that.net can share some objects for authentication.
Physical | Site
Container for AD DS objects such as computers and services that are specific to a physical location.
Physical | Domain Controller
Contains a copy of the AD DS database. Can process changes and replicate them to all other domain controllers in the domain.
Physical | Data Store
A copy of this is on every domain controller. Stores directory information in the Ntds.dit file and its associated log files (D:\Windows\NTDS).
Trust
Enables access to resources in a complex AD DS environment. Transitive trust: any friend of yours is a friend of mine (the domains can access each other through the chain). Non-transitive trust: a separate trust must be created between each domain (only the two domains in that trust can access each other).
To support group managed service accounts, what must you do?
Create a KDS root key: Add-KdsRootKey -EffectiveImmediately
Then create the group managed service account: New-ADServiceAccount -Name LondonSQLFarm -PrincipalsAllowedToRetrieveManagedPassword SEA-SQL1, SEA-SQL2, SEA-SQL3
Physical | Global catalog server
Domain controller that hosts the global catalog: a partial, read-only copy of all objects in a multiple-domain forest.
Group Policy Object (GPO)
Enables network administrators to define multiple rights and permissions to entire sets of users all at one time.
Scope
Defines where a group's abilities or permissions apply. Local - only on a single local system. Domain-local - all computers that are part of the local domain. Global - for users with similar characteristics. Universal - members can be from anywhere in the AD DS forest.
Computer Objects
Have an account with a sign-in name and password, and authenticate with the domain. Can be given access to resources and can belong to groups.
Generic Containers
Examples are the Users and Computers containers.
Logical | Domain
Logical administrative container for objects such as users and computers. A domain maps to a specific partition.
Logical | OU (organizational unit)
Container object for users, groups, and computers that provides a framework for delegating administrative rights and for applying administration by linking GPOs (Group Policy Objects), within a domain. OUs differ from generic containers because a container can't have a GPO linked to it, and OUs have many more management capabilities, such as controlling who can manage them.
User Account
Object that contains a username, a password, and group memberships. Users authenticate to the AD DS domain and access network resources with it.
Logical | Container
Object that provides organizational framework for use in AD DS.
Logical | Partition
Portion of the AD DS database. The database consists of one file, Ntds.dit. Different partitions contain different data: the schema partition holds a copy of the AD schema, the configuration partition contains the forest's configuration objects, the domain partition holds the domain's own objects, etc.
Physical | Read only domain controller
RODC. Common where physical security is not optimal.
RSAT
Remote Server Administration Tools. Tools that let you manage Windows Server roles and features remotely. You don't need to download them; they can be enabled from Settings.
Group Types
Security - primarily used to assign permissions. Distribution lists - not security-enabled.
Logical | Schema
Set of definitions of the object types and attributes that you use to define objects created in AD DS. It covers all object types.
Group Managed Service Account
Used on more than one server in your domain.
Active Directory Administrative Center
Used to administer and publish information in the directory, including managing users, groups, computers, domains, domain controllers, and organizational units. Cannot be installed on a domain controller.
Computer Container
The container where you put computer objects.